At around 7 a.m. Pacific time on January 21, 2010, we started blocking a new spam campaign that was directed to AOL Instant Messenger (AIM) users.
The message, with the subject line “Your AIM account is flagged as inactive” (among other variations), warns AOL AIM users that their AIM account will be “deleted from the system” within 72 hours unless they download the latest update for AIM. The email calls the update “critical.”
A link in the email sends users to an AIM-branded page. A brief description on the page claims that “AOL has released an update for AOL Instant Messenger (AIM) which fixes several major bugs.”
When clicked, the download button launches an executable that installs a Zeus bot, which has been used in past campaigns for spamming and for stealing personal information.
As of Thursday evening, Red Condor had blocked more than 250,000 messages. A rescan of the downloaded payload on VirusTotal, eight hours after our initial submission Thursday morning, showed that only one additional anti-virus engine had begun to recognize it. This campaign is very similar to others we have reported on: a zombie network for distribution, fast-flux hosting, a legitimate domain placed in the sub-domain portion of the spam domain, Polish top-level domains, a Zbot download, browser exploits, and so on.
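The “legitimate domain in the sub-domain portion” trick deserves a concrete check, because a naive substring match on the brand name fires on unrelated hosts (notaim.com) and misses nothing useful. The heuristic below, an added example and not Red Condor’s filtering rules, splits a hostname into its registrable domain and its sub-domain labels, and only flags a URL when the brand’s domain appears as a contiguous run of sub-domain labels under some other registrable domain. The brand list, the abridged public-suffix table, the watched TLD set, and every sample URL are constructed for illustration; a production filter would use the full Public Suffix List.

```python
"""Heuristics for spam URLs that hide a trusted brand's domain in the
sub-domain labels of an unrelated registered domain, e.g.
http://aim.com.update-srv.pl/ whose registrable domain is update-srv.pl.

Added example; the lists below are assumptions, not data from the page.
"""
import posixpath
from urllib.parse import urlsplit

# Brand domains the lure imitates (assumed list).
BRAND_DOMAINS = {"aim.com", "aol.com"}

# Hand-picked subset of the Public Suffix List (assumption: sufficient for
# the constructed samples; use the real list in production).
MULTI_LABEL_SUFFIXES = {"com.pl", "net.pl", "org.pl", "co.uk"}

# TLDs this campaign abused (Polish ccTLD).
WATCHED_TLDS = {"pl"}

# File types the campaign served (executable dropper, PDF/Flash exploits).
DROPPER_EXTENSIONS = {".exe", ".scr", ".pdf", ".swf"}


def registrable_domain(host):
    """Split a hostname into (registrable_domain, subdomain_part)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    # Prefer the longer known public suffix (e.g. com.pl) when present.
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        n = 3
    else:
        n = 2
    return ".".join(labels[-n:]), ".".join(labels[:-n])


def brand_in_subdomain(sub):
    """Return the brand domain found as a contiguous run of sub-domain
    labels, or None. Operates on labels, so 'notaim.com' never matches."""
    if not sub:
        return None
    labels = sub.split(".")
    for brand in sorted(BRAND_DOMAINS):
        b = brand.split(".")
        for i in range(len(labels) - len(b) + 1):
            if labels[i:i + len(b)] == b:
                return brand
    return None


def score_url(url):
    """Return a list of reason tags explaining why a URL resembles the
    lure URLs of this campaign; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg, sub = registrable_domain(host)
    reasons = []
    if reg in BRAND_DOMAINS:
        return reasons  # genuinely hosted on the brand's own domain
    brand = brand_in_subdomain(sub)
    if brand:
        reasons.append("brand-in-subdomain:" + brand)
    tld = reg.rsplit(".", 1)[-1]
    if tld in WATCHED_TLDS:
        reasons.append("watched-tld:" + tld)
    ext = posixpath.splitext(parts.path.lower())[1]
    if ext in DROPPER_EXTENSIONS:
        reasons.append("payload-ext:" + ext)
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs; none are real campaign indicators.
    for sample in (
        "http://aim.com.update-srv.pl/aim_update.exe",
        "http://aol.com.secure-login.com.pl/",
        "http://aim.com.example.co.uk/",
        "http://www.aim.com/update",
        "http://notaim.com/",
    ):
        print(sample, "->", score_url(sample) or "clean")
```

The tags are deliberately coarse so they can feed a scoring rule: a brand-in-subdomain hit alone is suspicious, and combined with a watched TLD or a direct executable download it is almost certainly a lure.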
One of the malicious sites linked to in this campaign also attempted to download a malicious PDF through an iframe, and appears to attempt a Flash exploit selected for the visitor's version of MSIE or Firefox, also delivered through an iframe-based attack.
Red Condor has at least 74 filtering rules in place matching samples from this campaign.